Zero-day Exploit Emerges, Bypasses Windows 7 UAC

Prevx, reports that a serious 0-day flaw has been publically disclosed on a Chinese board, "This's a serious flaw because it resides in win32k.sys, the kernel mode part of the Windows subsystem. It's a privilege escalation exploit which allows even limited user accounts to execute arbitrary code in kernel mode," wrote Marco Giuliani.Giuliani warned that […]

Prevx, reports that a serious 0-day flaw has been publically disclosed on a Chinese board, "This's a serious flaw because it resides in win32k.sys, the kernel mode part of the Windows subsystem. It's a privilege escalation exploit which allows even limited user accounts to execute arbitrary code in kernel mode," wrote Marco Giuliani.

Giuliani warned that Windows XP, Vista and Windows 7 were all vulnerable to attack, including 32-bit and 64-bit editions. The vulnerability is located in Win32ksys's NtGdiEnableEUDC API according to Prevx. The API isn't correctly validating some inputs resulting in a stack overflow.

A malicious attacker could redirect the overwritten return address to their malicious code and execute it with kernel mode privileges. As the flaw is a privilege escalation exploit, it bypasses the User Account Control (UAC) and Limited User Account technologies implemented in Vista and Win7.

Prevx says "we've not yet detected any malware exploiting this flaw. We expect to see this exploit being actively used by malware very soon - it's an opportunity that malware writers surely won't miss."

Microsoft has confirmed it's investigating public proof of concept code for a new un-patched flaw in Windows.

[Source]